CVE-2018-14663

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remoteattacker to craft a DNS query with trailing data such that the addition ofa record by dnsdist, for example an OPT record when adding EDNS ClientSubnet, might result in the trailing data being smuggled to the backend asa valid record while not seen by dnsdist. This is an issue when dnsdist isdeployed as a DNS Firewall and used to filter some records that should notbe received by the backend. This issue occurs only when either the'useClientSubnet' or the experimental 'addXPF' parameters are used whendeclaring a new backend.